What is shift left?
In its most simple terms, “shift left” security is moving security to the earliest possible point in the development process. Modern CI/CD typically involves an eight-step process as shown in Figure 1 below. Many security teams only become involved in the concluding steps of operations and monitoring. Consider that shift-left security is good for reducing not only cyber risk but also cost. The System Sciences Institute at IBM found that addressing security issues in design was six times cheaper than during implementation. The same study also found that addressing security issues during testing could be 15 times costlier.
Being intentional about embedding security in each of these steps starts with a clearly defined strategy.
Step 1: Define your shift-left security strategy
The first step of any journey is to define where you intend to go. Do not underestimate the power of a concisely (ideally one-page) written strategy document. It is critical to define what shift-left means in your organization. This is about painting the most vivid picture possible for your teams so they know what success looks like. Key items to include in this document are vision, ownership/responsibility, milestones, and metrics. Expect the strategy document to mature over time and don’t spend too much time trying to perfect it. Iteration over time is essential.
Step 2: Understand where and how software is created in your organisation
Perhaps one of the most challenging aspects of shifting security left is getting a handle on how and where software is created in your organisation. Depending on the size of your company, this could be straightforward to extremely challenging. This step is significant because the end result is what allows the security team to understand where they can actually move security closer to development. Large organisations that have not undertaken this process will likely spend a few months digging and taking development teams out to lunch (food always seems to work) when geography permits. Oftentimes, development is outsourced to multiple vendors, which will require additional work and sometimes contract reviews. Small and medium-sized organisations will find this step relatively straightforward but equally rewarding.
The goal of this step is to take a first look at the wider organisation, and document the overall flow of software in your company. Medium to large organisations will want to start at the macro level and then drill into individual business units. It is highly likely that each business unit will have its own software development process and tools. Key items to identify in this phase include who is developing code (people), how it flows from development laptops to production (process), and which systems they are using to enable the process (technology). This may also be referred to as the CI/CD toolchain. Undoubtedly, much of your software development is being done in the public cloud.
Step 3: Identify and implement security quality guardrails
Quality assurance has always been part of the software development lifecycle. However, software quality has not historically included security. This must change, and the work done in the previous steps will arm you to do this. Every step of the software development process is an opportunity to give feedback and look for security issues. The most effective security teams start small. They arm development teams with simple and effective tools that become part of the daily development routine.
Step 4: Assess and continuously train development teams in secure coding
Developers clearly know how to code, but do they know how to do it securely? Part of your journey to shifting security left is to ensure that those who do most of your coding create secure code in the first place. This is difficult to do if you have no objective measure of where their skills stand today and no plan to improve them continually over time. Given that in one survey, 19% of developers said they were unfamiliar with the OWASP Top 10, this is an area that should not be overlooked. Further underscoring this point was a recent survey published by DevOps service provider GitLab, which found that 70% of programmers are expected to write secure code, but only 25% think their organization’s security practices are “good.” If only 25% of developers feel this way, security teams have a lot of work to do in this area.
What shift-left security looks like
Let’s look at two scenarios where we’ve simplified development into build, deploy, and run phases.
In Scenario No. 1, development starts without security. Software quality is only checked during runtime. This often results in an uneasy conversation between security and development when vulnerabilities are found.
In Scenario No. 2, however, security teams have invested the time to understand the development process in their organization. They have also taken the time to embed security processes and tools in the CI/CD pipeline, resulting in automated security quality guardrails.
Conclusion
Utilising the four steps above will put your organisation on a solid path towards not only shifting security left but making security synonymous with development. As your company moves towards shift left as part of its cloud journey, it’s critical that security controls be automated and API-driven. Many companies empower security teams to do exactly that by securing DevOps and your CI/CD pipeline.
Check out all the software testing webinars and eBooks here on EuroSTARHuddle.com
